Wanted: SAN Certificate for two unique TLD domains for email

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: regoonline.com regodesigns.com

I ran this command: n/a

It produced this output: n/a

My web server is (include version): Apache/2.4.37 (Oracle Linux)

The operating system my web server runs on is (include version): Oracle Linux 8.6 (email server runs CentOS 7.0)

My hosting provider, if applicable, is: self hosted, onsite, postfix and dovecot

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.0

I need a SAN Cert that includes
regoonline.com
regodesigns.com
www.regoonline.com
www.regodesigns.com
estimator.regodesigns.com

Currently we send all employee to customer, order confirmations from SAP and invoices from SAP opt-in emails using @regoonline.com. We still have email messages being classified "SPAM" or undelivered. WE SEND NOTHING UNSOLICITED.

Professional advice has suggested this is due to addresses being @regoonline.com but all the links inside point to regodesigns.com. So now we are going to migrate everyone to @regodesigns.com email addresses with the old @regoonline.com email address configured as an alias email address for each user.

From my understanding, each domain that is within the SAN is renewed when the SAN is renewed. Is that correct?

TIA

Hi @Sharpy, and welcome to the LE community forum

Yes, the entire cert is renewed.

4 Likes

That doesn't sound very professional.

5 Likes

The explanation was akin to "sending from one domain while including multiple links to an alternate TLD is considered 'spammy'".

This Spam Test tool by another firm, glockapps.com, super freaked me out at first due to the part about sending emails to 70 provided addresses, however it shines a bright light on the issue.

GLOCK APPS SHARED DELIVERY REPORT

If you have professional advice to offer, I'd be grateful...

You have DKIM/DomainKeys/SPF set up, so that's a great start.

All your content to several providers is being listed as spam, while it passes others. Your IPs appear to be clean on public lists. That suggests your issue is not based on the email itself.

You need to read up on the deliverability guidelines for those specific networks – every major email provider has their own rules/regulations and publishes them. If you can't find the info, you can reach out to their email deliverability teams and ask why their network is blocking you. Often times this is because you have the same IP as a spammer they blocked 10+ years ago, other times it is because too many of their users marked your content as spam.

5 Likes

Just to avoid any misunderstanding...the SSL CERTIFICATE for each domain WITHIN the SAN certificate is renewed when the SAN certificate is renewed.

This is NOT referring to renewal of registration of the DOMAIN NAMES contained within the SAN certificate.

So, can anyone tell me if certbot is in fact able to issue a SAN Certificate for unique TLD domains for email as I have described?

And if so can you point me to some info on how it's accomplished, please?

Let's Encrypt is able to issue a cert for any combination of up to 100 FQDNs over which you can demonstrate control.

You've read the certbot docs, right? -d domain1 -d domain2 -d domain3 ...

6 Likes
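
The `-d` approach from the reply above, as an added example that is not part of the thread or of certbot's documentation: a small POSIX shell helper that turns a list of names into one certificate request, using the five names from the original post. The function name, the certificate name `rego-mail`, and the choice of the `--apache` plugin (which assumes every name resolves to the Apache host running certbot) are assumptions.

```shell
#!/bin/sh
# Added example: build a single certbot request covering several hostnames
# that belong to different registered domains.

MAX_NAMES=100   # per-certificate name limit stated in the reply above

# build_certbot_cmd CERT_NAME HOST...   (hypothetical helper)
# Prints one certbot command that requests a single certificate for all HOSTs.
# Fails if a name is malformed or the de-duplicated list is empty or too long.
build_certbot_cmd() {
    cert_name=$1; shift
    seen=" "; args=""; count=0
    for n in "$@"; do
        # Normalise: lower-case, drop a trailing root dot.
        n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        n=${n%.}
        # Simplified hostname check. Wildcards are rejected on purpose:
        # Let's Encrypt only validates them via DNS-01, not via a web server plugin.
        if ! printf '%s\n' "$n" |
             grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'; then
            echo "invalid hostname: $n" >&2
            return 1
        fi
        case "$seen" in *" $n "*) continue ;; esac   # skip duplicates
        seen="$seen$n "
        args="$args -d $n"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ] || [ "$count" -gt "$MAX_NAMES" ]; then
        echo "need between 1 and $MAX_NAMES names, got $count" >&2
        return 1
    fi
    # --cert-name keeps all names in one lineage, so they renew together.
    printf 'certbot certonly --apache --cert-name %s%s\n' "$cert_name" "$args"
}

# The five names requested in the original post; this only prints the command.
build_certbot_cmd rego-mail \
    regoonline.com regodesigns.com \
    www.regoonline.com www.regodesigns.com \
    estimator.regodesigns.com
```

Appending `--dry-run` to the printed command tests the request without issuing a certificate. The mail server in the thread is a separate host, so the issued files would still need to reach Postfix and Dovecot there, which this example does not cover.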
